1. Contact Information 



Department of State Privacy Coordinator 

Margaret P. Grafeld 

Bureau of Administration 

Global Information Services 

Office of Information Programs and Services 



2. System Information 

(a) Date PIA was completed: March 26, 2010 

(b) Name of system: Educational and Cultural Affairs Program Management and Outreach 
System 

(c) System acronym: ECA-PMOS 

(d) IT Asset Baseline (ITAB) number: 2599 

(e) System description (Briefly describe scope, purpose, and major functions): 

The ECA-PMOS is a business umbrella grouping of several systems with varying 
degrees of privacy information and record subjects. The systems support programs 
managed by the U.S. Department of State's Bureau of Educational and Cultural Affairs 
(ECA), in particular, those international education and training programs involved with 
exchange-of-persons between the United States and other countries. ECA-PMOS 
systems (also referenced as system components) are deployed in ECA, at posts, in 
private-sector organizations that are Department of State partners, and on the internet. 

The ECA-PMOS facilitates electronic data transfer and collaboration among all of the 
partner organizations. It also allows users to track and manage the full life cycle of ECA 
programs in order to support ECA's public diplomacy goals. The program life cycle 
includes planning, solicitations, proposals, grants, funding, projects, itineraries, 
participants, results and outreach to exchange alumni. 

ECA-PMOS includes the following systems: 

Academic Exchanges Information System II (ITAB # 4515) tracks grantees and their 
activities for Fulbright and other academic programs. It maintains information on 
participants, organizations and location (US or overseas), and supports inquiries and 
generates reports for management, Congress and the Public. 

Access Microscholarship Program (ITAB # 5098) supports the same-named program 
with the purpose to improve English language skills for bright, disadvantaged 14-18 
year old students worldwide. The specific functions are: 

• Manage Access Microscholarship Program proposals from start to finish by providing 
workflow management for the proposal submission, review and approval process. 

• Provide Access Program performance reporting. 

• Record Access Program funding expenditures. 

• Track activities in support of the Access Program by Posts. 



Alumni Archive (ITAB # 665) is a central repository for ECA Alumni data, housing 
information on alumni of the Exchange programs partially or fully funded by the ECA 
programs from 1970 forward. This consolidated data is used to: 

• Re-engage the alumni and offering them new program opportunities 

• Determine updated contact information for alumni 

• Determine the value of their exchange on the ECA program 

The Alumni Archive application is used to: 

• Identify and acquire new sources of Alumni archival records from the NGOs 

• Extract, transform, and load records into the central Alumni database 

• Provide a web interface that allows all ECA staff, Posts, commissions, & designated 
authorities to easily update records and generate reports 

• Provide an electronic mechanism for outside data sources to submit alumni records 
into the Alumni Archive database on a regular reporting. 

Alumni Affairs Management System (ITAB # 5097) assists the Office of Alumni Affairs 
to manage, track, and report on alumni outreach activity, funding, and strategy success. 
Annually the Office of Alumni Affairs promotes a competition among U.S. Missions for 
funding of alumni-focused project proposals. The Alumni Affairs Management System 
will collect information related to the annual project proposal competition, store historical 
documents, capture the rank order of the proposals after panel, and record other 
relevant program management information. Additionally, the system will provide data for 
program status reporting, including Mission-specific alumni programs and funding 
history, as well as country-specific alumni coordination profiles. 

COINS (ITAB # 4247) provides an automated web-based enrollment system for the 
Department of State's Accident and Sickness Program for Exchanges (ASPE). The 
Department "self-insures" (provides medical benefits to) Participants enrolled in some of 
the Department's exchange programs. Authorized access is restricted both on OpenNet 
and the internet. 

E-Teacher (ITAB # 5045) supports the E-Teacher Scholarship Program in its enrollment 
of teachers of English and teacher trainers from over 60 countries in on-line courses that 
explore five major areas of the academic specialty of Teaching English as a Foreign 
Language (TEFL). It supports the E-Teacher Program in nominee submission, review, 
approval and reporting. E-Teacher automates and secures the following functions: 

• Allow Post users to create, update and submit nominees for review to the E-Teacher 
PMO. 

• Allow E-Teacher PMO staff to review nominees made by RELOs and Post users. 

• Provide the capability to create and print reports via a web interface and generate 
nominee lists. 

• Allow E-Teacher access for PMO staff, RELOs and Post users at anytime via the 
Department's OpenNet. 

English Language Fellows (ITAB # 844) automates Fellow program requests from 
posts and documents the review and selection of English Language Fellow programs. 
Post submits proposals for a Fellow Program via the ELF system. The ELF officers in 
DC and the regional English language officers at Posts review the program proposals 
and select the best qualified programs. The system notifies the designated Grantee 



organization of the status of the programs. That Grantee organization logs into system 
and reviews the selected proposals in order to find candidates to fulfill the program 
requirements (latter is outside scope of this system.) 

English Language Specialists (ITAB # 625) tracks the itinerary and per diem of 
speakers that are selected by English Language Programs Office. The speakers are 
paid to travel to other nations in order to foster the teaching of American Language and 
Civilization at foreign universities and other overseas institutions. The ELS application 
also collects contact and payment information from each artist via email and a web form. 

Eureka (ITAB # 1020) captures funding, participant, and organization information on all 
Citizen Exchanges projects. It tracks exchange projects, itineraries and participants, 
and enables the program office to generate ad hoc reports. Eureka collects data on 
participants and support services (such as entry of DS-2019 data) that are critical to the 
Citizen Exchanges Office. Office staff enters data on program projects. Participant data 
can also be entered directly -- as part of DHS' SEVIS database -- or captured from other 
sources such as health-insurance enrollments and direct transfers from grantee 
institutions. 

Exchange Visitors Database-Enhanced (ITAB #1017) was developed to support 
ECA's International Visitor Program that is administered by the Office of International 
Visitors. The emphasis of the IV Program is to increase the mutual understanding 
between nations through communication at the personal and professional levels. The 
Office develops and coordinates programs for individual visitors or groups of visitors to 
visit the United States. It tracks all IV projects and participants, program costs by project 
and participant and program itineraries. It supports visitor nomination, assignments to 
program agencies and collaboration with program agencies on project design and 
production of program books. The type of International Visitor Program being 
administered determines the way in which the various users interact with EVDB-E. A 
SEVIS module is also included in EVDB-E. Privileged users who are qualified as 
Responsible Officers by the Department of Homeland Security (DHS) are provided with 
the capability to batch and transfer (via FTP) participant data to DHS's SEVIS database. 

Exchange Visitor Information System (ITAB # 900) allows the Office of Exchange 
Coordination and Designation to track and provide statistical data on past exchange 
programs and participants in response to inquiries from Congress and under the 
Freedom of Information Act. The Exchange Visitor Information System provides 
historical information about the Exchange Visitor J-1 visa program, their sponsor, and 
the Participant visits to the United States under these programs. In 2004, current 
information was entered into SEVIS and EVIS was retained for its historical account of 
exchanges. This is a static system and with no updates to the data. 

Executive Office Suite (ITAB # 1019) is a financial tracking and program management 
tool supporting users in the ECA Budget, Grants, and Program Management offices. It 
provides: 

• Tracking and reporting of all budgetary and financial transactions - including detailed 
document tracking and audit trails. 

• Workflow queues that monitor and assign work items and track all commitment types 
and funding transactions through completion. 



• Automated tracking of program versus operational plan, reprogramming limits, 
monitoring of funding and commitments by assigned project numbers, 
reimbursements, advice of allotments, earmarks, and representational funds. 

• Full lifecycle initiation, funding, and management of ECA grants through PM, budget, 
and Grants offices with automatic assignment of users and activities tied to specific 
grant lifecycle phases. 

• Integration with grants.gov 

Federal Exchanges Data System (ITAB # 819) enables the Interagency Working 
Group on U.S. Government Sponsored International Exchanges and Training (IAWG) 
that is housed in the Bureau of Educational and Cultural Affairs, to collect, manage, and 
report data on international exchange programs sponsored throughout the federal 
government. The system enables the IAWG to meet its Congressional mandates to act 
as an information clearinghouse and provide an annual inventory of all federally- 
sponsored international exchange and training activities. 

FSA Eurasia Database (ITAB # 609) was used to track Newly Independent States 
academic exchange projects and participants that were funded by the Freedom Support 
Act, rather than the Fulbright-Hays Act. This is a static system and will shortly be 
retired. 

IV Upcoming Projects (ITAB # 673) processes and reports on International Visitor 
projects and participants. National Program Agencies and Centers for International 
Visitors use the site as a source of information on future ECA/PE/V programs and to 
download project, participant, itinerary, travel and program-request data for projects to 
which they have been assigned. Other State Department offices and selected NGOs 
and private-sector contacts use the site for purposes of planning and requesting 
meetings with incoming visitors. Department of State officers can download final 
itineraries, program schedules and results data for purposes of debriefing returning 
visitors and for follow-up. 

NPA-CIV (ITAB # 619) supports communication among the Department of State's Office 
of International Visitors and the private-sector members of the International Visitor 
network: Centers for International Visitor, National Program Agencies and the National 
Council of International Visitors. National Program Agencies use the system to: (a) 
download project and participant data; (b) search for institutional program contacts 
(resources) throughout the U.S. and create a national itinerary for each project; (c) edit 
and upload the results to the Office of International Visitors for review; (d) transfer the 
data from the Office of International Visitors to participating Centers for International 
Visitors; and (e) download the final master file from the Office of International Visitors 
and print national program books. Centers for International Visitors use the same 
system (configured somewhat differently at installation) to: (a) formulate and transfer 
proposals to NPAs for participation in upcoming IV projects; (b) download project, 
participant, itinerary, travel and other data; and other similar tasks including generating 
reports; (c) create a local appointment schedule for each project; and (d) produce a 
variety of reports needed for local programming (intake sheets, appointment 
confirmation letters, hotel reservations, biographic sheets on visitors, the local program 
book, etc). 



Online Resource Directory (ITAB # 627) includes searchable profiles of private-sector 
partner organizations (program agencies, Centers for International Visitors, etc) and a 
staff directory that can be accessed selectively by program officers and the general 
public and updated online by program organizations with the login credentials. It 
provides business contact information for the Centers for International Visitors, National 
Program Agencies, and Department of State users among the staffs of these 
organizations. RDIV Website (ITAB # 5159) provides a central point-of-access for the 
Online Resource Directory and the IV Upcoming Projects. 

Post EVDB Web (ITAB #1021) provides the capability for Posts to create Contacts, 
Nominees and Projects for the International Visitors Program. The data is hosted in a 
central database repository. The goal of the IV Program is to increase the mutual 
understanding between nations through communication at the personal and professional 
levels. The IV Program Office develops and coordinates programs for individual visitors 
and groups to visit the United States. The Post EVDB Web application allows the Posts 
to nominate visitors to participate on these programs. 

Sevis Lite (ITAB #1016) allows users to enter/update SEVIS-related data (see below for 
information about SEVIS), send it via batch transaction to the Department of Homeland 
Security's SEVIS database, download results to update status and print DS-2019s. 
Sevis-Lite contains data on "beneficiaries", participants and support services (such as 
entry of DS-2019 data) that are critical to ECA/PE/C. ECA/PE/C staff enters data on 
program projects. Participant data can be entered directly - as part of SEVIS - or 
captured from other sources such as health-insurance enrollments and direct transfers 
from grantee institutions. Sevis-Llte is a static system and will shortly be retired. The 
functionality is now incorporated into AEIS II. 

State Alumni (ITAB #617) supports an online community of alumni of U.S. government- 
sponsored exchange programs. It provides opportunities for alumni to network with each 
other, develop their careers, and stay in touch with the Bureau of Educational and 
Cultural Affairs, thus helping to extend their exchange experience. 

In addition, ECA-PMOS references the Department of Homeland Security's SEVIS 
system though that system is not part of the ECA-PMOS umbrella and there is no 
persistent link to that system that is described as follows: 

The Department of Homeland Security's Student and Exchange Visitor Information 
System (SEVIS) tracks and monitors schools and programs, students, exchange visitors 
and their dependents throughout the duration of approved participation within the U.S. 
education system. SEVIS collects, maintains and provides the information so that only 
legitimate foreign students or exchange visitors gain entry to the United States. The 
result is an easily accessible information system that provides timely information to the 
Department of State, U.S. Customs and Border Protection, U.S. Citizenship and 
Immigration Services and U. S. Immigration and Customs Enforcement. 

(f) Reason for performing PIA: 

□ New system 

□ Significant modification to an existing system 



M To update existing PIA for a triennial security reauthorization 

(g) Explanation of modification (if applicable): Not applicable - not a significant 
modification. 

(h) Date of previous PIA (if applicable): June 2007 

3. Characterization of the Information 

The system: 

does NOT contain Pll. If this is the case, you must only complete Section 13, 



[El does contain Pll. If this is the case, you must complete the entire template. 

a. What elements of Pll are collected and maintained by the system? What are 
the sources of the information? 

There are three distinct levels of Pll data for systems within ECA-PMOS: (1) personally 
identifiable information about U.S. Citizens (non USG-employees); (2) contact 
information for USG employees; and (3) information from or about non U.S. persons. 

The first level includes data on U. S. Citizens. Systems included in this level are listed in 
the table immediately below. 



Sub-system 


Pll data element 


Academic Information 


Individual's Name 


Exchanges System II (AEIS II) 


(Last, First, Second Last, Middle Names; Suffix) 




Title 




Position/Occupation Type 




Gender 




Race 




Ethnicity 




Date of Birth 




Birth City 




Birth Country 




Citizenship Country (1 st , 2 nd , 3 rd ) 




Date of Naturalization 




Marital Status 




Spouse's Citizenship Country 




Home Street Address 




Home City Address 




Home Country 




Home State, Zip Code and Congressional District 




Home Email Address 



Sub-system 


Pll data element 




Home Phone Number 
Home Fax Number 
Home Cellular Number 

Visa Type 

SEVIS Number 

Home Institution Name 

Home Institution Country 

Host. Street Address 
Host City Address 
Host Country Address 

Host State, Zip code and Congressional District 

Host Email Address 

Host Phone Number 

Host Fax Number 

Host Cellular Number 

Major Field of Study 

Specializations 

Program Start Date 

Program End Date 


Alumni Archive 


Individual's Name 

(Prefix; Last, First, Second Last, Middle Names; Suffix) 
Suffix 

Sex / gender 
Date of Birth 
Deceased 
Disabled 

Country of Citizenship 
Second Citizenship Country 
Home Street Address 
Home City Address 

Home State, or Province and Country Address 
Home Congressional District 
Business Street Address 
Business City Address 

Business State, or Province and Country Address 
Business Country Address 
Preferred Address 



Sub-system 


Pll data element 




Home Phone 




Business Phone 




Mobile Phone 




Other Phone 




Preferred Phone 




Fax Number 




Email 1 

■>>>>■ III ^ni II 1 




Email 2 




Preferred Email 




Business Name 




Field of Study 


COINS 


Individual's Name 




(Last, First, Second Last, Middle Names; Suffix) 




Gender 




Birth Date 




Phone Number 




Email Address 




Citizenship 




Home otreet Address 




Home uity Address 




Home btate and zip uode, or 




Province and Countrv Address 




Host Organization 




Host Organization Address 




Medical Notes (If any...) 




Accident and Sickness Program coverage inception 


English Language Specialists 


Individual s Name 


(ELS) 


(Last, First, Second Last, Middle Names; Suffix) 




Alias 




Home Street Address 




Home City Address 




Home otate, or rrovince and uountry Address 




Home Email address 




Home Fax 




Home Phone Numbers 




Home Homepage (URL) 




Title 




Position 



Sub-system 


Pll data element 




Institution 




business Address 




Business Email 




business uity 




Business State 




1 J ■ ■ XX ■ t«X XX ^> ^> t XX I | fc-"*\ 4* / 

business uountry 




1 J 1 1 o 1 l»"X XX XX XX 1 yvx XX 1 1 

business tmaii 




business Homepage 




render 




riuent Languages 




expertise 




1 J ^"X XX XX X% ^4" IX 1 XX VX<X XX 

Passport Name 




1 J XX XX XX XX t^A* IV 1 I ■ VV> I^X XX IX 

rassport Number 




Passport Issue Date 




1 1 XX XX XX t/"\ XX fc<"4" 1 X A V\ 1 l*" XX 4" 1 xx, ^x x"J XX 4" XX, 

rassport expiration date 




Uitizen lype 




Social Security Number 




Date of Birth 




Birth Citv and Countrv 




Medical problems 




Resume 




Publications 




References 


Eureka 


1 /-J 11 f 1 x-J I 1 XX 1 ' xx IV 1 XX VXX XX 

individual s Name 




/ 1 ^« A 1 ■ ix xx 4* l\ #1 i xJ xJ 1 xx IV 1 xx bv> xx xx ■ C * ■ ■ 4* 4* i % # \ 

(Last, hirst, Middle Names, outtix) 




Nickname 




Birth Date 




1 M I |X 4" L"X I XX I ■ VX 4" IX* / 

birtn uountry 




birtn uity 




Birth State 




Birth Province 




f 1 4* 1 T XX Xt XX Ux 1 fc"X f XX 1 ■ I'X 4* # 

umzensnip uountry 




1 j s*\ xx i xJ xx ►•x xx xx # xx i ■ fx 4* ^\ / 

Hesidence uountry 




Naturalization Date 




Professional Title 




Organization Affiliations 




Passport Number 




Passport Expiration 



Sub-system 


Pll data element 




Sex 




Marital Status 




Disabled / Disabilities 




Home Street Address 




Home City Address 




Home btate and zip uoae, or 




rrovince ana uountry Aaaress 




rnone 




bmaii 




visa i ype 




Subject/Field of Study 




Language Capabilities (Reading, Writing, Speaking) 




Social Securitv Number 




Occupation 




Comments 




Travel Itineraries 




Expertise Types and Levels (1-5) 


Exchange Visitors Database - 


Individual's Name 


Enhanced (EVDB-E) 


Organization / Institution Name 
Business Street Address 
Business Citv Address 

Business State and Zip Code, or Province and Country 
Business Phone 
Business Email 
Gender 


Executive Office Suite - EOS 


Individual's Name 

(Last, First, Second Last, Middle Names; Suffix) 

Familiar Name 

Phone Number 

Email Address 

Home Street Address 
Home City Address 

Home btate, or Province ana uountry Aaaress 
Organization (employer) Name 
Organization Address 
Organization Position 



Sub-system 


Pll data element 




Organization Contact Individual s Name 


IV Upcoming Projects, 


Individual's Name 


Online Resource Directory, 


(rreiix, Last, hirst) 


I itie 


ORDIV 




work rnone Number 




worK bmaii 




urganization Name 




urganization otreet Auuress (Lines l ,^,o) 




urganization uity Aaoress 




urganization otate Aaoress 




Oraanization Zio Code Address 




Organization Country Address 




Organization Phone 




Organization Email 




Organization Website 


NPA-CIV 


1 a^aa. aaahl mm mm aaatl m m aaaa. 1 ^ aaak ^V 1 aaaa aaBka^a arah 

Individual s Name 




Organization / Institution Name 




Oraanization Phone 

>-/ 1 \mA wAI 1 I^Uill %•/ III II V_/ 1 1 V./ 




Organization Email 




Business Phone 




Business Email 




Bio 


State Alumni Website 


Email Addresses 




f ^ ■ ■ aaaa -aa, 1,-a, jaa, ■ ui. f ""V — a. _ a _aaa | a m a 

Citizenship Country 




Date of Birth 




Prefix 




1 ■ ak aaal ■ ■ mm A 1 ■ ■ 1 ^ ak a^a. 1 ak f 4-ai 4-ai M 

Individual s Name 




m 1 ■ ■ al aaa. aaa as 1 _ - J L I JL m ■ B ^_^ | I ^ _w ak aaa 1% II - aaa.1 I .aa* IV 1 A _a»fc aaa aaa. A ai ■ ■ a a aaa aaa a a a \ 

(Prefix; Last, First, Second Last, Middle Names; Suffix) 




L a""a a""a CVi Jll 1 A / 1 A l^«>-« ill M IV 1 A ■ -IT. _«a. 

becond Last/ramily Name 




Maiden Name 




wnere ao you live • 




Gender 




Proaram Name 

■ ■ ^mW \mA ■ III IV I 1 1 




Program Start and End Dates 




Field of Study 




Photo 




Phone 



Sub-system 


Pll data element 




Mobile Phone 




IUU 




a i h a i r~\ 

AIM ID 




Yahoo ID 




MbN IU 




User generated bio 




Hobbies 




Professional/Academic interests 




Primary Website 




Address, Current 




Address, Permanent 



The second level of Pll data on U.S. citizens is solely official contact information of 
U.S. federal employees. The ECA-PMOS child systems that fall within this category 
are listed in the table immediately below. Of the systems in this table, all but English 
Language Fellows and Federal Exchanges Data System also contain Pll data on non- 
US citizens. 



Sub-system 


Pll data element 


Access Microscholarship 
Program 


Individual's Name 
Business Address 
Business Phone Number 
Business Email 


Alumni Affairs Management 
System 


Individual's Name 
Business Address 
Business Phone Number 
Business Email 


E-Teacher 


Individual's Name 
Business Address 
Business Phone Number 
Business Email 


English Language Fellows (ELF) 


Individual's Name 
Phone Number 
Email Address 


Exchange Visitor Information 


Individual's Name 



System (EVIS) 


(First, Last) 




Business Name 




Business Address 




Business Phone Number 


Federal Exchanges Data System 


inoiviauai s Name 


(FEDS) 


(rreiix, Last, hirst) 




urganization Name 




urganization otreet Address (Lines l ,^,o) 




urganization uity Address 




urganization btate Address 




urganization zip uode Address 




urganization uountry Address 




Oraanization Phone 




Organization Fax Number 




Organization Cell Phone Number 




Organization Email 




Organization Website 



The third level of PI I data is solely collected on non-U. S. citizens. The ECA-PMOS 
systes that falls within this category is: 

FSA Eurasia; 

- Post EVDB Web; and 

- Sevis-Lite. 

The PI I data has several sources, including individuals, depending on the Exchange 
Program. All involve either direct collection of information or use of data already 
collected by or for the U.S. Department of State. 

♦ Data is provided by Public Diplomacy staff at the Embassy, after prior 
collection from the individuals. 

♦ Data is collected from individuals by NGO's acting under contract to 
Department of State. NGOs then provide that data to Department of State. 

♦ Data is entered directly by individuals into a form on a Department of State 
website. 

♦ Data is copied from one of the component information systems to another 
component information system for a use related to the original reason for the 
data collection. 

b. How is the information collected? 

AEIS II collects data as direct online input by Department of State ECA Academics 
Exchange Specialists or by email sent from Grantee Organizations managing the 
Exchange Program. There is no direct access into the system other than via the 
Department's intranet network. 



Alumni Archive has data automatically loaded from other Department Academic 
Exchange systems (ie, EVDB-E, AEIS II, Eureka). Also Posts and Program Agencies 
(under contact with the Department) email or mail the information to the Alumni Archive 
system manager to upload into Alumni Archive. The information is sent upon request by 
the system manager or as a condition of the grant. 

COINS collects ASPE enrollment information directly from Program Agencies who email 
the information or who manually enter the data online. The information is also collected 
automatically from other Department authorized systems. Exchanges Participants and 
Grantees do NOT access COINS directly. 

English Language Fellows collects the Department employees official contact 
information by entering the data online directly into the system. The Grantee 
Organization cannot update any data but it can view the data. 

English Language Specialists collects information on speakers directly from each 
candidate via a web form or indirectly when the information is emailed by the candidate 
to the English Language Programs Office that manages the Program. 

Eureka collects information from Department Program staff via online manual input, 
automatically from other Department systems and automatically from the Department of 
Homeland Security's SEVIS system. 

EVDB -E collects business contact information of US Citizens who are contracted with 
Program Agencies / Grantee Organizations or employed by the Department of state via 
online manual input by the contacts themselves or by staff in the supporting Program 
office. 

EVIS has not collected any new information since 2004 when it was retained in read- 
only mode for its historical account of Exchanges. 

EOS collects information via manual online entry by Department of State's ECA Budget 
and Grants Offices. 

FSA Eurasia has not collected any new information since 2008 when it was retained in 
read-only mode for its historical account of Exchanges. It's Participant data will be 
migrated into AEIS II after which time it will be retired as a system. 

IV Upcoming Projects, Online Resource Directory, ORDIV, NPA-CIV collect data as 
direct input by the individuals in the respective organizations reported or by staff in those 
organizations. 

State Alumni collects information directly from public individuals (alumni of Exchange 
programs, U.S. host families, Department of State personnel) at the time they create 
their accounts to access the system. On some occasions, the Alumni Affairs office staff 
use existing lists of Program participants to create user accounts in bulk, but individuals 
must still activate their account or their data is deleted from the system after two months. 
Until accounts are activated and verified by the subject individual, the corresponding 
account information is only visible to administrators (ECA Alumni Affairs Office and the 
ECA front office). Registering Alumni must indicate if they choose to have authorized 
Department of State staff contact them regarding their Program participation, and they 
must also indicate if they choose to have their profile marked as "public" versus "private". 
A "public" option allows authorized Department of State staff to view the Participant's 
profile. Users have full control over the privacy of their account information. 

For ECA-PMOS systems covered in this document that collect contact information 
on the federal workforce, that contact data is either entered in the systems by the 



subjects themselves or is entered by Department of State staff supporting the respective 
program and office from the global address list. 

c. Why is the information collected and maintained? 

The information is collected and maintained to provide contracted Program Agencies or 
Grantee Organizations with sufficient data to contact and evaluate an Exchange nominee 
or participant, and to provide the public with contact information at Grantee organizations 
regarding programs of interest. 

d. How will the information be checked for accuracy? 

Information collected directly from the record subject is presumed to be accurate. The 
contact information about an individual is collected from Department of State records and 
interviews with the subject individual. 

e. What specific legal authorities, arrangements, and/or agreements define the 
collection of information? 

• 5 U.S.C. 301 (Management of the Department of State); 

• 22 U.S.C. 1431 et seq. (Smith-Mundt ); 

• United States Information and Educational Exchange Act of 1948, as amended; 

• 22 U.S.C. 2451-58 Fulbright-Hays Mutual Educational and Cultural Exchange 
Act of 1961, as amended; 

• 22 U.S.C. 2651 a (Organization of the Department of State); and 

• 22 U.S.C. 3921 (Management of the Foreign Service). 

f. Privacy Impact Analysis: Given the amount and type of data collected, 
discuss the privacy risks identified and how they were mitigated. 

Information collected and maintained by ECA-PMOS systems is the minimum amount of 
information necessary to identify potential and awarded Grantees and Participants for 
Exchange Programs. Basic contact information is necessary to contact the subject 
individual or submitter if needed. 

Because Personally Identifiable Information is collected and maintained by ECA-PMOS, 
appropriate management, technical and operation security controls are in place to 
ensure the confidentiality and integrity of the data. Access is available only to authorized 
Department of State employees performing sanctioned duties. Users must pass a 
government background check prior to having system access. Annual, recurring 
security training is practiced and conducted through Diplomatic Security. Access to 
computerized files is password-protected. The computerized files are available only on 
the Department of State intranet or on the internet but hosted internally at the 
Department of State or an authorized, contracted off-site hosting facility. 



4. Uses of the Information 

a. Describe all uses of the information. The information is used to: 

• evaluate and award nominees / candidates of Department of State Exchange 
programs, 



• process the Participant through the subject Exchange program, 

• provide official contact information to the public for Exchange programs 

• generate reports used by Department of State managers and staff in the 
management of an Exchange program 

• allow Department of State and contacted Grantee organizations to contact current 
Exchange participants and alumni of Exchange programs 

• fulfill requirements of the Department of Homeland Security. 

There is no placement of Personally Identifiable Information on portable computers. 
Authorized system users who telecommute can only access the system through the 
Department of State's secure access using the ONE system with two-factor 
authentication where one of the factors is provided by a fob with a use-once password. 

b. What types of methods are used to analyze the data? What new information may 
be produced? 

The data in ECA-PMOS is not used for analytical purposes. No new information may be 
produced, except high-level statistics for program reporting purposes sent to the White 
House and Congress as required or published on the Federal Exchanges Data System 
website. 

c. If the system uses commercial information, publicly available information, or 
information from other Federal agency databases, explain how it is used. 

ECA-PMOS does not use commercial information, publically available information, or 
information from other Federal agency database when processing information on U.S. 
citizens. 

d. Are contractors involved in the uses of the Pll? 

Contractors are involved with the operational maintenance of the system. Contractors 
use the data in ECA-PMOS consistent with the statutory purposes, and do not produce 
any additional data. Privacy Act contract clauses are inserted in their contracts and 
other regulatory measures are addressed. Rules of Behavior have been established 
and training regarding the handling of Pll information under the Privacy Act of 1974, as 
amended. 

Contractors are employed by the U.S. Department of State within the Bureau of 
Educational and Cultural Affairs as members of staff to support Bureau programs. All 
contractors, whether technical or direct program support, must pass a government 
background check prior to having system access. Annual, recurring security training is 
practiced and conducted through Diplomatic Security. 

e. Privacy Impact Analysis: Describe the types of controls that may be in place to 
ensure that information is handled in accordance with the above uses. 

Data collected and maintained by the ECA-PMOS is only used for purposes of 
managing the respective Exchange program, for fulfilling the program requirements and 
for ECA internal task assignments. The information is not analyzed or disseminated for 



any other purpose. ECA-PMOS does not provide flexibility of features that might initiate 
a functional vulnerability creep or threat. 

Authorized employees are assigned level-of-access roles based on their job functions. 
Rose limit the update and printing capabilities to those deemed necessary for specified 
job functions. 



5. Retention 

a. How long is information retained? 

These records will be maintained until they become inactive, at which time they will be 
destroyed or retired in accordance with published record schedules of the Department of 
State and as approved by the National Archives and Records Administration. For 
detailed descriptions of the appropriate record disposition schedules, see Domestic 
Records Disposition Schedules Chapter 36: Bureau of Educational and Cultural Affairs 
Office of Academic Exchange Programs (ECA/A/E). 

e. Privacy Impact Analysis: Discuss the risks associated with the duration that data is 
retained and how those risks are mitigated. 

A potential risk may occur when an Alumni has out-dated information in State Alumni. 
This risk is mitigated through the requirement that the Alumni update their own profile in 
the system for correctness and completeness. 



6. Internal Sharing and Disclosure 

a. With which internal organizations is the information shared? What information is 
shared? For what purpose is the information shared? 

For Participants on Programs where their Grant provides health benefits through the 
Department's self-insured Accident and Sickness Program for Exchanges (ASPE), the 
Participants data is automatically fed into the COINS system. Where the automated 
data feed is not established, responsible Program offices can manually enroll online their 
Program Participants into ASPE. With the exception of the ASPE Administrators, staff 
managing a particular Program is restricted to access data on individuals participating in 
their particular Program. The Participants no do have access to COINS. Data shared is 
the Participants name, contact information (home and mailing addresses, email), 
gender, birth date, citizenship and ASPE coverage dates. 

All ECA Exchange offices provide (electronic feeds or manual input) Participant bio, 
contact and Program data to the Exchanges Statistical Management System (ESMS) 
administered by the ECA Executive Office. ESMS aggregates the Participant data into 
high-level program data for reporting to Congress and the public. It does not report any 
individual's information,. ESMS does not store any Participant personal data fed into the 
system; it merely categorizes and summarizes the data to report at the Program level. 

The Offices of Citizen Exchanges, International Visitors and Academic Exchanges 
provide Participant data to the Alumni Affairs office for inclusion in the Alumni Archive 
database. The data is available to authorized Department employees on the 
Department's intranet and used to re-engage with alumni and maintain up-to-date 



records to facilitate public diplomacy outreach. Bureau staff access the database for 
statistical data on participants to be used in Congressional testimony or results 
reporting. 

b. How is the information transmitted or disclosed? What safeguards are in place for 
each sharing arrangement? 

All information is transmitted via automated electronic feeds or via manual online input. 

c. Privacy Impact Analysis: Describe risks to privacy from internal sharing and 
disclosure and describe how the risks are mitigated. 

When shared within the Department, all information is still used in accordance with ECA- 
PMOS stated authority and purpose. Risks to privacy are mitigated by granting access 
only to authorized persons. 

All employees of the Department of State have undergone a thorough personnel security 
background investigation. Access to Department of State facilities is controlled by 
security guards and admission is limited to those individuals possessing a valid 
identification card or individuals under proper escort. All records containing personal 
information are maintained in secured-file cabinets or in restricted areas, access to 
which is limited to authorized personnel. Access to computerized files is password- 
protected and under the direct supervision of the system manager. The system 
manager has the capability of printing audit trails of access from the computer media, 
thereby permitting regular ad hoc monitoring of computer usage. 



7. External Sharing and Disclosure 

a. With which external organizations is the information shared? What 
information is shared? For what purpose is the information shared? 

Privacy Data on non-US Citizens is sent to the SEVIS system at the Department of 
Homeland Security from the following systems: AEIS II, Eureka, EVDB and EVDB-E. 
The Department of Homeland Security requires electronic submission of Visa and J1 
Visa applications. This data is provided to Homeland Security by the ECA-PMOS 
system to aid that agency in processing these individuals at their point-of-entry into the 
U.S. 

Data is also shared with Grantee organizations under the terms of their Grant. They are 
restricted to access data on individuals that are applicants, candidates or participants on 
their Program. Information is shared to confirm ASPE enrollments, re-engage alumni 
and abide by federal regulations involving visits by non-US citizens. Data is also shared 
to provide Program contact information. 

b. How is the information shared outside the Department? What safeguards are 
in place for each sharing arrangement? 

Systems sending data to and from Homeland Security do so through a web service 
using HTTPS protocol that enforces encryption. 

Grantee organizations are required to authenticate their credentials to access ECA- 
PMOS systems through a unique login ID and encrypted password. Each organization 
can only access data on participants enrolled in their respective grant programs. 



Where individual participants are authorized to access their own participant records via 
the internet, as in the case of State Alumni, the participants have exclusive control as to 
who can view their personal and program information. Participants must also grant 
Department of State employees permission to contact them regarding past and potential 
upcoming programs. 

There is no anonymous access to ECA-PMOS systems containing personal information 
outside the Department. 

c. Privacy Impact Analysis: Describe risks to privacy from external sharing and 
disclosure and describe how the risks are mitigated. 

Risks to privacy are mitigated by limited access to and release of personal information 
on a need-to-know basis or as in the case of State Alumni, as authorized explicitly by the 
individual alumni. 

8. Notice 

The system: 

contains information covered by the Privacy Act. 

Provide number and name of each applicable systems of records. 

(visit www. state. gov/m/a/ips/c25533. htm for list of all published systems): 

Educational and Cultural Exchange Program Records. STATE-08 

Overseas Records. STATE-25 



does NOT contain information covered by the Privacy Act. 



a. Is notice provided to the individual prior to collection of their information? 

A Privacy Act Statement is available for those individuals that provide this information by 
form and notice is given through 

b. Do individuals have the opportunity and/or right to decline to provide 
information? 

The individual may decline to provide the required information; however, such actions 
may prevent them from participating in Exchanges programs. 

c. Do individuals have the right to consent to limited, special, and/or specific 
uses of the information? If so, how does the individual exercise the right? 

Conditional consent is not applicable to the official purpose of ECA-PMOS except in the 
case of State Alumni where individuals control if they allow Department staff to contact 
them and if they want their program participation accessed by the public. 

d. Privacy Impact Analysis: Describe how notice is provided to individuals and 
how the risks associated with individuals being unaware of the collection are 
mitigated. 



Notification is provided to the Public via System of Records Notices STATE-08 and 
STATE-25. 

9. Notification and Redress 

a. What are the procedures to allow individuals to gain access to their 
information and to amend information they believe to be incorrect? 

Individuals who wish to gain access to or amend records pertaining to themselves 
should write to the Director, Office of Information Programs and Services; Department of 
State; SA-2; 515 22nd Street NW; Washington, DC 20522-6001. The individual must 
specify that they wish the Cultural Property Advisory Committee Records to be checked. 
At a minimum, the individual should include: Name; date and place of birth; social 
security number; current mailing address and zip code; signature; a brief description of 
the circumstances that caused the creation of the record, and the approximate dates 
which give the individual cause to believe that the Office of International Information 
Programs has records pertaining to them. 

b. Privacy Impact Analysis: Discuss the privacy risks associated with 
notification and redress and how those risks are mitigated. 

Procedures are available for individuals to access or amend records they believe are 
incorrect. The notice is reasonable and adequate in relationship to the system's 
purpose and use. 



10. Controls on Access 

a. What procedures are in place to determine which users may access the 
system and the extent of their access? What monitoring, recording, and 
auditing safeguards are in place to prevent misuse of data? 

The level of access and capabilities permitted is restricted by the role assigned to each 
individual user. Some users are granted read-only access if they have no need to 
update system records. The separation of roles with different access privileges is in 
accordance with NIST Special Publication 800-53. 

All authorized staff using the system must comply with the Department of State's general 
"appropriate use policy for information technology". Rules of behavior and 
consequences, and system use notifications are in accordance with the Privacy Act 
(subsection e[9] ) and OMB Circular A-130, Appendix III. 

The security controls in the system are reviewed when significant modifications are 
made to the system, but at least every three years. 

Access to ECA-PMOS is restricted to Department of State personnel, Grantee 
organizations under contractual terms of their Grant and to the public where publication 
of their personal information, as in the case of State Alumni, is determined by the 
individual. 

Department of State system users must pass a government background check prior to 
having system access. At a minimum, they must possess a security clearance level of 



confidential, with secret preferred. Annual, recurring security training is practiced and 
conducted through Diplomatic Security. 

Authorized user login identifiers are appended to any system records created or 
updated, along with the date and time of the record creation or change. This allows 
administrators to identify the source of any incorrect of incomplete data as recorded in 
the system. 

Contractors authorized to access the system are governed by contracts identifying rules 
of behavior for Department of State systems and security. Contracts are reviewed upon 
renewal by management and contract personnel expert in such matters. 

b. What privacy orientation or training for the system is provided authorized 
users? 

Annual, recurring security training is practiced and conducted through the Bureau of 
Diplomatic Security 

c. Privacy Impact Analysis: Given the sensitivity of Pll in the system, manner of 
use, and established access safeguards, describe the expected residual risk 
related to access. 

Several steps are taken to reduce residual risk related to system and information 
access. Access control lists, which define who can access the system, and at what 
privilege level, are regularly reviewed, and inactive accounts are promptly terminated. 
Additionally, the system audit trails that are automatically generated are regularly 
analyzed and reviewed to deter and detect unauthorized uses. (An audit trail provides a 
record of which particular functions a particular user performed-or attempted to perform- 
-on an information system.) 

The certification and accreditation process independently verifies and validates the 
application system security controls. Administrative procedures, including independent 
security investigations of Department applicants and assignment of unique system 
access rights to individuals, limit access to the system. 

There is little residual risk related to access, in particular because the system is 
available only on a Department of State intranet and there is minimal and controlled 
direct electronic transfer of data between IIP-PMOS and hosts accessible to external 
organizations or individuals. 



11. Technologies 

a. What technologies are used in the system that involve privacy risk? 

All hardware, software, middleware and firmware are vulnerable to risk. There are 
numerous management, operational and technical controls in place to mitigate these 
risks. Applying security patches and hot-fixes, continuous monitoring, checking the 
national vulnerability database, following and implementing sound federal, state, local, 
department and agency policies and procedures are only a few of safeguards 
implemented to mitigate the risks to any information technology. 



b. Privacy Impact Analysis: Describe how any technologies used may cause 
privacy risk, and describe the safeguards implemented to mitigate the risk. 

Information is transmitted via email quite frequently. A potential risk includes an email 
containing personally identifiable information inadvertently sent to an unauthorized 
recipient. 

To mitigate this risk, Department of State staff receives training and notifications warning 
of phishing scams to obtain personal data. 

12. Security 

What is the security certification and accreditation (C&A) status of the system? 

As a component system to the Educational and Cultural Affairs Program Management 
and Outreach System, ECA-PMOS was granted Full Accreditation at the Sensitive-But- 
Unclassified (SBU) level in May 2007. The authorization is valid for up to 36 months. 
This Accreditation expires on May 31 , 2010, or upon significant change to the system, 
application, or environment. 



